Online advertising has been a hot topic for the past week or so, with Ars Technica trying out an interesting, somewhat desperate experiment wherein they blocked access to their content for people using Adblock. Of course, if this were to become some kind of movement among publishers, it would probably just spark a technological cat-and-mouse game that would surely be reminiscent of DRM cracking or iPhone jailbreaking. But in their post-mortem, Ars states that it was a worthwhile awareness campaign, and I hope that's true. But I thought it would be a good idea to try to bring the collective OSNews brainpower together and crowdsource the idea of how to raise money for a web site in an age where advertising is increasingly un-viable.

When you click on a Google link, you have no idea where that link will take you, or what JS it might execute

Incorrect. It will execute no javascript, unless I have explicitly allowed it to do so. And, actually, yes, I do know exactly where that link will take me, if I'm running my preferred browser and addons (will an RDR-alike extension come out for Chrome? Chrome seems to have almost everything else, now...). I prefer not to follow obfuscated links.

However, when it comes to ads, it's suddenly a problem?

No, it's suddenly a more annoying problem. I've been to forums with looping JS in the background that eats too much CPU with enough tabs open, and sites that leak memory with their JS over time. But, it's easy to just purse my lips, and temporarily disable JS on a site for an occasional occurrence of buggy code.

Ads, however, may move windows, make new windows, change focus, replace context menus, or freeze browsers for a time (slow servers, which is also a browser coding problem, but also inefficient JS), and have managed to consistently thwart browser settings to the contrary (which is bypassed depends on the browser used, and Opera seems to be best, here), necessitating either avoidance of the content they come with, or ad-blocking. Then there's the silly ones that cover content with an ad page, so if you have JS disabled by default, you can read content, but if it is enabled by default, you've got another 5-10 seconds just to load this ad page and a skip button (Heaven forbid they get served up as fast as the site you're trying to go to).

Also, 3rd-party ads loaded from news sites that use JS have been the only vector for any malware I've recently received (no worries: either the browser didn't have a clue what to do with the file, prompting me to Google it; or, AV caught it, if on Windows). It's no wonder malware spreads as it does, since even those experiences are in the short window between a working OS install, and a fully updated and configured install.

Not all ad services are that bad, but they get on the same block list(s) as those that are. Yet, those safer ones are just as much of a privacy risk, even the security risk is reduced.

Those running a site need to have, inspect, and approve every ad, and keep it on their server(s). Drive-by ads are going to continue being a security and privacy risk. The immediately obvious problem with this model is that it all but requires clicks as the only reliable mechanism to measure anything about ads, since you could doctor page view data.